Restricting network access to only authenticated users protects confidential information on the network from being compromised. Restricting access using common user authentication techniques, however, does not address network integrity issues in situations when a computer connects to more than one network. FIG. 1 shows a typical setup of a computer 100 connected to a private corporate network 141 via an Ethernet card 111 and to the public Internet 161 via a modem 112. An application 120 running on the computer has access to the two networks. This setup may give rise to security issues. For example, when the application concurrently accesses the two networks, the user of the application may inadvertently broadcast secure information from the private corporate network to the public Internet by mistakenly hitting a key that initiates such a broadcast. Or the user intending to send a packet to the private corporate network could unintentionally send the packet over the public Internet without proper security protection. For another example, a remote computer also connected to the Internet can access the application 120 through computer 100's Internet connection and, from there, access the private corporate network 141. Thus, because the application 120 has concurrent access to the two networks, it presents a security “hole” exploitable by remote computers.
Current operating systems do not guard against security risks such as those mentioned above. A typical operating system allows for the establishment of an insecure channel linking private and public network connections that may result in an unprivileged application accessing confidential information maintained in the private network. In conventional operating systems, it is difficult to enforce a policy forbidding an application from accessing public networks like the Internet while the application is connected to a private network. Such a policy can be defeated by a user using a phone line to connect to the Internet, which circumvents a firewall regulating access to the private network. Moreover, remote users of a private network may have no practical recourse but to use a public network like the Internet to create a Virtual Private Network (VPN) connection to the private network. But the VPN connection to the private network simultaneously connects the computer to both the secured private network and the unsecured public Internet. In a manner similar to the example given above, a remote computer also connected to the Internet can access the computer via the Internet and then access the private network via the VPN connection.
In general, an application concurrently accessing two networks creates a security breach point. Further, the computer may have access to resources other than the networks, for example, a local file system or a network printer. In these instances, similar security problems may be caused by concurrent access. For example, a user's local files may be compromised by the user mistakenly printing the files on the network printer. These examples can be generalized into a multiple, concurrent resource access problem by regarding the connection to the private network, the connection to the Internet, and the connection to the network printer as resources in a multiple-resource environment.
As shown in FIG. 1, the computer provides access to five resources, represented by R1 140, R2 113, R3 114, R4 115, and R5 160, wherein R1 is the connection to the private network, and R5 is the connection to the Internet. The possible dangers of concurrently accessing pairs of the resources are reflected in the entries in Table 1.
TABLER1 - R5: Resources 1 - 5R1R2R3R4R5R1—safesafedangerdangerR2—safedangerdangerR3—dangerdangerR4—safeR5—According to Table 1, any combination of R1, R2, and R3 is safe, and the combination of R4 and R5 is safe. Other combinations are dangerous. Similar to the case of the application concurrently accessing the private network and the Internet, for example, it is dangerous for the application to concurrently access R3 and R4.
Thus it is desirable to have a method for managing access to multiple resources that enforces security considerations such as those in Table 1. Currently, many operating systems, applications, and hardware devices provide methods of either setting up security access to a resource or enhancing the security connection to a resource. But none of them provides a method of managing concurrent access to multiple resources.